Compliance with the General Data Protection Regulation (GDPR) is often considered a burden. We believe in looking at it from a different perspective: GDPR compliance is a tool organizations can use to build trust. Processing personal data in accordance with the GDPR does not only help prevent data breaches; it also provides a platform for earning your customers’ trust. Transparency is a key principle of the GDPR, and it is expressed in a number of rights awarded to data subjects.
The first right of data subjects under the GDPR is the right to be informed. By properly informing data subjects, you make them more likely to trust your organization and the way you process personal data. In this blog we explain how you can use GDPR compliance to build trust with your data subjects, and how compliance with the right to be informed helps you do just that.
In January 2019 the French privacy watchdog CNIL announced that Google had fallen short in providing correct and comprehensible information to its data subjects. The information provided by Google was either incomplete, difficult to find, or too vague. Since the GDPR states all information provided to data subjects should be clear, comprehensible and easily accessible, the CNIL imposed a financial penalty of €50,000,000 (around $56 million USD) against Google LLC.
Data subjects can claim several rights under the GDPR, obligating data controllers (the organization holding the subject’s data) to respond accordingly. This implies certain risks, such as data subjects obligating you to change your processing activities or submitting a complaint to their national Data Protection Authority. Issuing a clear, complete, and comprehensible privacy statement on your website manages that risk. Keep in mind that this is not meant to be boilerplate small print that no one ever reads: authorities are unlikely to accept endless provisions and disclaimers as clear or comprehensible.
In the privacy statement, organizations should disclose any third parties they share personal data with. An organization whose privacy statement does not clearly state which data is shared with which third party is not compliant with the right to be informed. The privacy statement is not just an obligation for organizations processing personal data of EU citizens; it is also an opportunity to present yourself as a privacy-conscious organization. By clearly and unambiguously informing data subjects of the ways you process their data, you let them know exactly what to expect from your organization, and they are more likely to trust you to process their personal data.
The GDPR obliges controllers to inform employees of company policy. It is important to make employees aware of the GDPR and how it affects the way they handle personal data. When employees are not aware of company policy on personal data, the organization is taking a big risk, so ensuring that employees understand the implications of the GDPR is an important factor in risk management. For some organizations it can be useful to manage GDPR compliance in one centralized system; in that case it is paramount to properly instruct employees in the use and workings of that system. Addressing employee awareness mitigates one of the largest risks in GDPR compliance: a lack of trust.
If you would like more information on the obligations of data controllers under the GDPR and the best way to implement this in your organization, please do not hesitate to contact Audittrail. We are privacy compliance specialists with extensive experience in helping organizations on the road towards GDPR compliance. Some of the products we offer are the privacy baseline status assessment, our privacy compliance management framework, privacy maturity level assessment, and standard documentation sets.